DEV: Remove unsafe-eval from development CSP (#8569)

- Refactor source_url to avoid using eval in development
- Precompile handlebars in development
- Include template compilers when running qunit
- Remove unsafe-eval in development CSP
- Include unsafe-eval only for qunit routes in development
This commit is contained in:
David Taylor
2019-12-30 12:17:12 +00:00
committed by GitHub
parent df8444e813
commit bc4c40abd4
11 changed files with 33 additions and 24 deletions


@@ -51,7 +51,6 @@ class ContentSecurityPolicy
"#{base_url}/mini-profiler-resources/",
*script_assets
].tap do |sources|
sources << :unsafe_eval if Rails.env.development? # TODO Remove this when we stop using `eval` in development mode
sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
end


@@ -7,6 +7,13 @@ class ContentSecurityPolicy
{ script_src: SiteSetting.content_security_policy_script_src.split('|') }
end
def path_specific_extension(path_info)
{}.tap do |obj|
for_qunit_route = !Rails.env.production? && ["/qunit", "/wizard/qunit"].include?(path_info)
obj[:script_src] = :unsafe_eval if for_qunit_route
end
end
def plugin_extensions
[].tap do |extensions|
Discourse.plugins.each do |plugin|
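Review bot: The guard on the `for_qunit_route` line of `path_specific_extension` is `!Rails.env.production?`, so the `unsafe-eval` relaxation is granted in every non-production environment (test, and any custom environment name such as staging), which is wider than the "in development" scope the commit description states. If only development and test are meant, tighten it to `for_qunit_route = (Rails.env.development? || Rails.env.test?) && ["/qunit", "/wizard/qunit"].include?(path_info)`, or at least put a comment above that line recording the intended scope, e.g. `# qunit needs eval for template compilation; script-src is never relaxed in production`. The value assigned on the next line is a bare symbol, whereas the method ending just above returns an array for `:script_src`; if the extension merge expects an array, use `obj[:script_src] = [:unsafe_eval]` — the merge code is not visible here, so please confirm. As a point of style, the `{}.tap` wrapper around a single conditional key reads more directly as `for_qunit_route ? { script_src: :unsafe_eval } : {}`.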


@@ -15,8 +15,9 @@ class ContentSecurityPolicy
ContentSecurityPolicy.base_url = request.host_with_port if Rails.env.development?
theme_ids = env[:resolved_theme_ids]
headers['Content-Security-Policy'] = policy(theme_ids) if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy(theme_ids) if SiteSetting.content_security_policy_report_only
headers['Content-Security-Policy'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only
response
end